Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels, which would make other running
domains using the same files very unhappy.
https://bugzilla.redhat.com/show_bug.cgi?id=921135
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
src/security/security_dac.c | 8 --------
src/security/security_selinux.c | 8 --------
2 files changed, 16 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 80709fe..378b922 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1128,14 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.kernel &&
- virSecurityDACRestoreFileLabel(priv, def->os.kernel) < 0)
- rc = -1;
-
- if (def->os.initrd &&
- virSecurityDACRestoreFileLabel(priv, def->os.initrd) < 0)
- rc = -1;
-
if (def->os.dtb &&
virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
rc = -1;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 721c451..475cdbc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2034,14 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.kernel &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel) < 0)
- rc = -1;
-
- if (def->os.initrd &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd) < 0)
- rc = -1;
-
if (def->os.dtb &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
rc = -1;
ACK
but I'm wondering if the nvram and dtb lines before & after would
potentially suffer the same problem
Regards,
Daniel